Friday, August 26, 2011

It's no secret, I <3 splunk. But I'm not here to tell you why you NEED splunk (just take my word for it). I'm here to let you know about splunk-auth-proxy. splunk-auth-proxy is a simple node.js web app written in coffeescript which allows you to use Google Apps OpenID authentication to authenticate splunk access. It was written primarily by my co-worker Jonathan Rudenberg with a little help from me. So how do we use it?

I would highly suggest using a systems management system to automate deployment (we prefer chef). However, here I'll provide manual installation instructions for those less fortunate sysadmins.

splunk-auth-proxy requires you to specify the location of the SSL private key and certificate you want to use as well as your Google Apps domain name and secret (creating your SSL private key and certificate is outside the scope of this howto).

In $SPLUNK_HOME/etc/system/local/ add the following to server.conf and web.conf:

server.conf:

[general]
trustedIP = 127.0.0.1

web.conf:

[settings]
enableSplunkWebSSL = 0
trustedIP = 127.0.0.1
SSOMode = strict
remoteUser = Remote-User

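What those two config files actually buy you is worth spelling out, because it is where an SSO proxy goes wrong. With trustedIP = 127.0.0.1 and SSOMode = strict, splunk logs in whoever the Remote-User header names on any request arriving from 127.0.0.1, and never shows its own login form. That makes the proxy the only thing allowed to set that header: it has to drop any Remote-User header a client sends and only add its own after Google has verified the user, and it is worth checking at startup that the splunk side is really configured this way. The following is an added example written for this post, not code from splunk-auth-proxy, and it assumes (hypothetically) that the session object from the OpenID handshake looks like {authenticated, email} and that the splunk username is the local part of the Google Apps address:

```javascript
// Added example, not splunk-auth-proxy's own code: the two properties a
// Splunk SSO proxy must get right, written as plain functions so they can
// be run and tested offline.
//
// With the server.conf/web.conf above, Splunk logs in whoever the
// Remote-User header names on any request that arrives from 127.0.0.1 and
// never shows its own login form (SSOMode = strict). So the proxy (1) must
// strip any Remote-User header a client sends and set it only from a
// verified Google Apps identity, and (2) should refuse to start unless the
// Splunk side really is configured that way.

// Header name, matching "remoteUser = Remote-User" in web.conf. Node's http
// module lowercases incoming header names, so all comparisons are lowercase.
const REMOTE_USER_HEADER = 'remote-user';

// Assumption: the Splunk username is the local part of the Google Apps
// address, which is how a CSV export of users would normally be loaded.
function splunkUserFromEmail(email, allowedDomain) {
  const m = /^([^@\s]+)@([^@\s]+)$/.exec(email);
  if (!m) throw new Error('malformed identity: ' + email);
  if (m[2].toLowerCase() !== allowedDomain.toLowerCase()) {
    throw new Error('identity outside the configured Google Apps domain');
  }
  return m[1];
}

// Build the headers forwarded to splunkweb. `session` is whatever the
// OpenID handshake established for this client (hypothetical shape:
// {authenticated, email}); `domain` is the configured Google Apps domain.
function buildUpstreamHeaders(clientHeaders, session, domain) {
  if (!session || !session.authenticated || !session.email) {
    throw new Error('unauthenticated request: refusing to proxy');
  }
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const key = name.toLowerCase();
    if (key === REMOTE_USER_HEADER) continue; // never trust the client's copy
    out[key] = value;
  }
  out[REMOTE_USER_HEADER] = splunkUserFromEmail(session.email, domain);
  return out;
}

// Minimal parser for Splunk's ini-style .conf files ([section] + key = value).
function parseConf(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) {
      current = sections[sec[1]] = sections[sec[1]] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || !current) continue;
    current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Return a list of problems with the Splunk-side SSO settings; empty means OK.
function ssoConfigProblems(serverConfText, webConfText) {
  const problems = [];
  const general = parseConf(serverConfText).general || {};
  const settings = parseConf(webConfText).settings || {};
  if (general.trustedIP !== '127.0.0.1') {
    problems.push('server.conf: trustedIP should be 127.0.0.1, the address the proxy connects from');
  }
  if (settings.trustedIP !== general.trustedIP) {
    problems.push('web.conf: trustedIP must match server.conf');
  }
  if (settings.SSOMode !== 'strict') {
    problems.push('web.conf: SSOMode should be strict so Splunk never falls back to its own login');
  }
  if ((settings.remoteUser || '').toLowerCase() !== REMOTE_USER_HEADER) {
    problems.push('web.conf: remoteUser must name the header the proxy sets');
  }
  return problems;
}

// Constructed sample input: the two config snippets from this post.
const SERVER_CONF = '[general]\ntrustedIP = 127.0.0.1\n';
const WEB_CONF = '[settings]\nenableSplunkWebSSL = 0\ntrustedIP = 127.0.0.1\nSSOMode = strict\nremoteUser = Remote-User\n';

// Constructed request: a client trying to supply its own Remote-User header.
const hostile = { 'Remote-User': 'admin', Accept: 'text/html' };
const session = { authenticated: true, email: 'alice@example.com' };

console.log(ssoConfigProblems(SERVER_CONF, WEB_CONF));            // []
console.log(buildUpstreamHeaders(hostile, session, 'example.com'));
// { accept: 'text/html', 'remote-user': 'alice' }
```

The client-supplied Remote-User header is thrown away before anything is forwarded, and an unauthenticated session or an address outside your Google Apps domain is refused rather than passed through. Keep in mind that the trustedIP setting means anything else able to connect to splunkweb from the same host gets the same trust, so the proxy should be the only local process that can reach that port.
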
As documented in the splunk SSO docs, you will need to make sure you have already set up splunk users that match your Google Apps users. The quick and dirty solution is to download your Google Apps user list as a .csv and then use a script like useradd-csv2splunk.sh, included with splunk-auth-proxy, to bulk add the users. You will need to update the script with proper splunk admin credentials and have a properly formatted .csv. The format for the .csv file is:

And there you have it! You should now have a fully functional SSO proxy sitting in front of splunk allowing your users to forget one more password! As a bonus, you also now have simple two-factor authentication capabilities ready to go if you use Google Apps two-step verification.